[openssl-dev] [openssl.org #4507] Bugs due to missing error handling

Yuan Jochen Kang via RT rt at openssl.org
Mon Apr 11 03:44:12 UTC 2016


Dear OpenSSL developers,

We are security researchers at Columbia University and the University of
Virginia. As part of a research project, we have built a tool for
automatically finding error handling bugs and are testing it on various
cryptographic libraries and applications that use them.

In version 1.0.1s, we discovered various instances where function calls
are not checked for failures, which could lead to silent errors in the
user output.

Please let us know how you intend to address these issues.

1, When bio_out is NULL, it can still be used, and the function would
return the non-error value, 0, instead of maybe another error exit value:
apps/prime.c, lines 108, 128, 136, 144:
int MAIN(int argc, char **argv)
{
...
    if ((bio_out = BIO_new(BIO_s_file())) != NULL) {
...
    }
        BIO_printf(bio_out, "%s\n", s);
...
        BN_print(bio_out, bn);
        BIO_printf(bio_out, " is %sprime\n",
                   BN_is_prime_ex(bn, checks, NULL, NULL) ? "" : "not ");
...
    return 0;
...
}

2, SSL_write should be checked for a non-positive error value, before
the output buffer is overwritten with data from SSL_read.
apps/s_time.c, lines 427, 485, 522:
int MAIN(int argc, char **argv)
{
...
            SSL_write(scon, buf, strlen(buf));
            while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
                bytes_read += i;
...
        SSL_write(scon, buf, strlen(buf));
        while (SSL_read(scon, buf, sizeof(buf)) > 0) ;
...
            SSL_write(scon, buf, strlen(buf));
            while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
                bytes_read += i;
...
}

Thank you,
Yuan Kang


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4507
Please log in as guest with password guest if prompted
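The second item above (the unchecked SSL_write in apps/s_time.c) is easiest to see with both forms side by side. The block below is an added illustration, not code from the ticket or from OpenSSL: it uses a constructed mock connection (mock_ssl, mock_ssl_write, mock_ssl_read, all assumptions standing in for SSL, SSL_write and SSL_read) so it compiles offline without the OpenSSL headers. request_unchecked reproduces the pattern quoted from s_time.c; request_checked is one possible hardened form that verifies the write before the request buffer is reused for reading, and distinguishes a read error from end of stream.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for an SSL connection (not OpenSSL's SSL type).
   write_fails simulates a broken connection; reads_pending/bytes_per_read
   control how much response data a healthy connection returns. */
typedef struct {
    int write_fails;
    int reads_pending;
    int bytes_per_read;
} mock_ssl;

/* Mimics SSL_write's contract: returns bytes written, or <= 0 on error.
   (The real function needs SSL_get_error() to classify a <= 0 result.) */
static int mock_ssl_write(mock_ssl *s, const void *buf, int num) {
    (void)buf;
    if (s->write_fails)
        return -1;
    return num;
}

/* Mimics SSL_read's contract: > 0 bytes read, 0 on clean shutdown,
   < 0 on error. A connection whose write failed is treated as broken. */
static int mock_ssl_read(mock_ssl *s, void *buf, int num) {
    if (s->write_fails)
        return -1;
    if (s->reads_pending == 0)
        return 0;
    s->reads_pending--;
    int n = s->bytes_per_read < num ? s->bytes_per_read : num;
    memset(buf, 'x', (size_t)n);
    return n;
}

/* The pattern reported in apps/s_time.c: the write result is discarded and
   buf is immediately overwritten by the read loop. On a failed write this
   returns 0, which is indistinguishable from an empty response. */
long request_unchecked(mock_ssl *scon, const char *req) {
    char buf[1024];
    long bytes_read = 0;
    int i;

    strncpy(buf, req, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    mock_ssl_write(scon, buf, (int)strlen(buf));
    while ((i = mock_ssl_read(scon, buf, sizeof(buf))) > 0)
        bytes_read += i;
    return bytes_read;
}

/* Hardened form (an assumption about how the caller wants errors
   reported): check the write before buf is reused, and report a read error
   instead of folding it into "no more data". Returns bytes read on success,
   -1 on a failed write or read. A short write is treated as failure here;
   the real SSL_write only returns partial counts when partial-write mode
   is enabled. */
long request_checked(mock_ssl *scon, const char *req) {
    char buf[1024];
    long bytes_read = 0;
    int len = (int)strlen(req);
    int i;

    int w = mock_ssl_write(scon, req, len);
    if (w <= 0 || w != len)
        return -1;
    while ((i = mock_ssl_read(scon, buf, sizeof(buf))) > 0)
        bytes_read += i;
    if (i < 0)
        return -1;
    return bytes_read;
}
```

With a healthy mock both forms report the same byte count; with a connection whose write fails, request_unchecked silently reports 0 bytes while request_checked returns -1, which is the difference the ticket is pointing at.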
